Should personal devices be allowed on your network? One group says yes

Many businesses balk at the idea of letting employees access company data on personal computing devices. But one group is actually recommending the practice as a way to save money.

The National Association of State CIOs (NASCIO) is encouraging cash-strapped state governments to rethink their bans on using personal smartphones and other devices for work purposes.

As the thinking goes, employees want to work on their personal devices anyway, and many states don’t have room in the budget to buy smartphones for users. So they can get a productivity boost for a minimal cost by letting those personal devices onto the network.

Many states are already heeding that advice. Almost half (14 out of 36) of the states surveyed by NASCIO said they already allow employees to do this. If this proves effective, other companies may follow suit.

Of course, there’s one thing standing in the way: security. So NASCIO’s recommendation comes with a caveat — make sure personal devices are secure before giving them access to data by taking these steps:

  1. Have IT approve devices before they’re given network access — some smartphones are more secure than others
  2. Require that personal smartphones be equipped with security features such as remote wipe, antivirus software, firewalls, password protection and encryption
  3. Disable unnecessary features such as Bluetooth connectivity, which could allow attackers to connect to the phone and steal data, and
  4. Only give users access to the parts of the network they need for their jobs.

Does your company allow employees to use personal devices for work purposes? If so, what steps have you taken to keep company data safe? Let us know in the comments section below.

Read NASCIO’s full report here.

  • Al

    We used to allow personal devices because upper management likes their toys. During the recent economic slowdown, budgets were cut and staffing was reduced. However, response time to issues needed to be maintained. During analysis of main time consumers of end user issues, guess what was #1? Dealing with personal devices. The amount of time for end user handholding at a standard hourly rate FAR exceeded the cost of the personal devices.

    I suppose for a gov’t agency where full time employment is more important than generating a profit, any decision that maximizes manpower is a good thing, but in the private sector, I would have to say this is misguided.

  • KK

    Just because it MAY save money doesn’t mean it’s a good thing to do. Personal devices need routine maintenance, security updates and user training. Once these soft costs are added in, is it really cost effective? Allowing personal devices is NOT in my comfort zone or budget.

  • Craig

    Al is spot on. The cost of additional staff to support every device imaginable will likely overwhelm any up front cost savings.

    The recommendations NASCIO lists are nice but given that you will not have control over the device how do you maintain those settings? Audit those settings? Re-apply those settings when needed?

    This is a very myopic move. Any organization with PI, PCI, HIPAA, etc., data to protect will not be able to defend this practice in court if it is found they are the source of a data leak. There are so many reasons to not do this and if the only reason to do it is to save on some up front costs then agencies and companies had better do a really good job of capturing the likely costs. It amazes me how initiatives such as this always fail to properly account for the real, true, costs.

  • Al

    It is clear that these CIOs did NOT consult with their respective Attorneys General about this recommendation. As this practice is clearly a security vulnerability in many information security standards – without legal tools in place such as non-disclosure statements, pre-consent search authority of personal equipment used on business networks, a private sector business could find itself not only in hot water for loss of control of the information, but lack the ability to retrieve or safeguard the information after an employee’s departure.

  • SEAN R.

    What prevents an employee using an authorized personal device to access sensitive data on the organization’s network, and maintaining it on their device when they are discharged from employment? You cannot just ‘seize’ the device…that is sure to raise all sorts of 4th Amendment concerns.

    If the device is considered a personal device, and not corporate-owned, how do you effectively ensure data removal has been accomplished successfully, and more importantly… Who owns the data now on the personal device? I do not think that complete data removal can be done, but I am open to options/suggestions.

    Lastly, how can an employer use data stored on an employee’s personal device ‘against’ said employee who has violated some organization’s internet usage policy (ex. explicit texting, immoral website surfing, etc.)?

    In my opinion, personal devices have no place on a corporate\organizational network…the ‘Cons’ far outweigh the “Pros”. The convenience of having access to data can have huge ramifications down the road. I am curious as to how other states have addressed even some of what I have concerns about, as well as those raised by others.